Forum Discussion

Bob_10976
Sep 09, 2014

Audit Log full of Operation not supported Errors

We created an iRule to address a security audit that dinged us on "Sensitive Cookie Missing 'HTTPONLY' Attribute". Since then our audit log has been full of errors from this iRule, though the iRule appears to be working as expected. The errors we are seeing are:

Tue Sep 9 09:28:42 EDT 2014 err local/tmm tmm[5026] 01220001 TCL error: iRule_Name_HTTPONLY - Operation not supported (line 2) invoked from within "HTTP::header remove "Set-Cookie""

Tue Sep 9 09:28:40 EDT 2014 err local/tmm tmm[5026] 01220001 TCL error: iRule_Name_HTTPONLY - Operation not supported (line 1) invoked from within "HTTP::header remove "Set-Cookie""

I've copied the iRule below. Any help in solving this would be greatly appreciated! Also, we are running version 10.2.x and our device cannot be upgraded to 11.x.


    when HTTP_RESPONSE {
        set ck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"

        foreach acookie $ck {
            if { [string tolower $acookie] contains "httponly" } {
                HTTP::header insert "Set-Cookie" "${acookie}"
            } else {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
            }
        }
    }


  • BinaryCanary_19
    Historic F5 Account

    This will require testing, but one possibility is that the message is logged whenever HTTP::header remove "Set-Cookie" does not find any such header, which is probably a very common occurrence, since cookies are not set on every response.

     

  • Thanks for the feedback aFanen01.. Any suggestion on how I could modify the irule so that if it does not find any such header it simply bypasses the irule?

     

    Thanks, Bob

     

  • BinaryCanary_19
    Historic F5 Account

    Did you say "audit" log, or ltm log?

     

    If the message is in the audit log, it is unlikely to be related to this irule. Can you post a snippet of the concerned log file?

     

  • You can check to see if the $ck variable isn't empty;

    if { $ck ne "" } {
        # ...continue with the existing remove/insert logic...
    } else {
        return
    }
    
  • aFanen01.. I did say Audit log, however I should have said the "Local Traffic" log via the browser interface GUI..

     

    What Lies Beneath.. Thanks for the suggestion! However I'm not much of an iRule/coder so to be completely honest I'm not exactly sure how/where to insert that code into the existing rule. Would you mind elaborating on where that goes in the iRule..

     

    Thank you!! Bob

     

  • This will do it I think, sorry no way to test right now;

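    when HTTP_RESPONSE {
        # Collect every Set-Cookie header value on this response
        set ck [HTTP::header values "Set-Cookie"]
        # Only rewrite when at least one Set-Cookie header is present
        if { $ck ne "" } {
            HTTP::header remove "Set-Cookie"

            foreach acookie $ck {
                if { [string tolower $acookie] contains "httponly" } {
                    # Already flagged: re-insert unchanged
                    HTTP::header insert "Set-Cookie" "${acookie}"
                } else {
                    # Append the HttpOnly attribute
                    HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
                }
            }
        } else {
            return
        }
    }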
    
  • Thank you What Lies Beneath.. That seems to do the trick.. I'm not seeing the errors anymore.

     

    Bob
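
Added example, not part of any post in this thread and not F5 code: a Python model of the rewrite logic, for checking it offline against sample Set-Cookie values. It goes beyond the posted rule by testing HttpOnly as a separate attribute, because the rule's substring test also matches a cookie whose name or value merely contains "httponly". All function names and sample values are constructed for illustration.

```python
"""Offline model of the HttpOnly rewrite discussed in this thread (added example)."""


def substring_check(set_cookie):
    """Models the thread's test: [string tolower $acookie] contains "httponly"."""
    return "httponly" in set_cookie.lower()


def has_httponly(set_cookie):
    """True only if HttpOnly is present as its own attribute."""
    # The first ';'-separated field is name=value; attributes come after it.
    attrs = set_cookie.split(";")[1:]
    return any(a.strip().lower() == "httponly" for a in attrs)


def rewrite_set_cookie(values):
    """Return the Set-Cookie values a response should carry after the rewrite."""
    if not values:
        # No Set-Cookie header on this response: nothing to remove or insert.
        return []
    out = []
    for v in values:
        v = v.rstrip().rstrip(";").rstrip()  # tolerate a trailing ';'
        out.append(v if has_httponly(v) else v + "; HttpOnly")
    return out


# Constructed sample header values (not taken from the thread)
SAMPLES = [
    "JSESSIONID=abc123; Path=/; Secure",  # attribute missing
    "pref=dark; path=/; httponly",        # already flagged, lower case
    "theme=httponly-demo; Path=/",        # substring in the value only
]

if __name__ == "__main__":
    for before, after in zip(SAMPLES, rewrite_set_cookie(SAMPLES)):
        print(f"{before!r} -> {after!r}")
    # Cookies the substring test would skip even though the attribute is absent
    skipped = [c for c in SAMPLES if substring_check(c) and not has_httponly(c)]
    print("skipped by substring test:", skipped)
```
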